Best practice for performing a health check on Protection Engine using ICAP

Article ID: 204827


Products

Protection Engine for Cloud Services, Protection Engine for NAS

Issue/Introduction

You need to perform a health check on Symantec Protection Engine (SPE) to determine if it is online and able to accept scan requests.

Environment

SPE configured to use ICAP

Resolution

To determine if Protection Engine is up and available to service scan requests, your ICAP client should send it an ICAP OPTIONS request. This method is preferred over any type of ping health check.

This needs to be an ICAP request sent by an ICAP client, such as the Protection Engine SDK or Command-Line Scanner.

An options request looks like the following (replace <placeholders> with the appropriate values for your environment):

OPTIONS icap://<ip address>:<port>/<ICAP Service> ICAP/1.0

For example, if you scan using the avscan service, the ICAP request will look like the following:

OPTIONS icap://192.0.2.2:1344/avscan ICAP/1.0

If SPE is configured to use Secure ICAP, you need to establish a TLS connection before sending the OPTIONS request. If SPE is online and able to accept requests, it will send an ICAP response with general ICAP and scanner information.

This is an example as seen on a packet capture monitoring ICAP port 1344:

ICAP/1.0 200 OK
Date: X Ju  X 07:XX:15 202X GMT
Methods: RESPMOD, FILEMOD
Service: Symantec Protection Engine/9.0.1.5
Service-ID: Respmod AV Scan
ISTag: "EFC62..D246F87CF4147"
X-Definition-Info: 202XXX04.007
Max-Connections: 24
X-Allow-Out: X-Outer-Container-Is-Mime, X-Infection-Found, X-Definition-Info, X-AV-License
X-Allow-Out: X-Violations-Found
Allow: 204
Options-TTL: 3600
Preview: 4
Transfer-Preview: *
X-AV-License: 1
Encapsulated: null-body=0

To determine how to configure your connector or load balancer to send an OPTIONS request, please reach out to its vendor.
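
If your monitoring system can run a script, the check described above can be implemented as in the following added example (not Symantec/Broadcom code and not part of the original article). The function names, the Host header (taken from RFC 3507), the rule that "healthy" means an ICAP 200 response that advertises a Methods header, and the constructed SAMPLE reply are assumptions of this example.

```python
import socket
import ssl

# Constructed sample reply (not a real capture), used to exercise the parser offline.
SAMPLE = (b"ICAP/1.0 200 OK\r\nMethods: RESPMOD, FILEMOD\r\nX-Allow-Out: X-Infection-Found\r\n"
          b"X-Allow-Out: X-Violations-Found\r\nEncapsulated: null-body=0\r\n\r\n")

def build_options_request(host, port, service):
    """OPTIONS request line from the article plus the Host header from RFC 3507."""
    return (f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
            f"Host: {host}\r\n\r\n").encode("ascii")

def parse_icap_response(raw):
    """Return (status, headers); status 0 means a truncated or non-ICAP reply."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    proto, _, rest = lines[0].partition(" ")
    if not sep or not proto.startswith("ICAP/") or not rest[:3].isdigit():
        return 0, {}
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:  # repeated headers such as X-Allow-Out are joined with ", "
            key = name.strip().lower()
            headers[key] = ", ".join(filter(None, [headers.get(key), value.strip()]))
    return int(rest[:3]), headers

def evaluate(raw):
    """Assumed criterion: a well-formed ICAP 200 that advertises Methods is healthy."""
    status, headers = parse_icap_response(raw)
    return status == 200 and "methods" in headers, headers

def check(host, port=1344, service="avscan", tls=False, timeout=5.0):
    """Probe a live server; tls=True completes the TLS handshake first (Secure ICAP)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as plain:
            ctx = ssl.create_default_context()
            conn = ctx.wrap_socket(plain, server_hostname=host) if tls else plain
            with conn:
                conn.sendall(build_options_request(host, port, service))
                raw = b""
                while b"\r\n\r\n" not in raw and len(raw) < 65536:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    raw += chunk
    except OSError:  # refused, timed out, or TLS failure: report unhealthy
        return False, {}
    return evaluate(raw)
```

With tls=True, ssl.create_default_context() verifies the server certificate against the system trust store, so a certificate issued by a private CA must be trusted on the probing host or the check reports unhealthy.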

Additional Information

To turn off URL Category enumeration in the OPTIONS request, disable the setting as described here:

https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/symantec-protection-engine/9-0-0/Core-server-only-mode/modify-the-icap-options-attribute-list-extension-v128513505-d4995e28535.html